Azure function with NSG and NSG FLow logs

Question

Azure function with NSG and NSG FLow logs

Amar-Azure-Practice 661

Hi

I have an Azure functionApp with ASP, I have integrated with VNET/Subnet (FunctionAppSubnet) to the Azure function.
Added one Http trigger function to write the data to Azure storage.
Tested this function working as expected.

I have enabled the NSG Flow logs on the NSG that is associated to the Subnet(FunctionAppSubnet) and selected the storage account to log all NSG logs to capture IB/OB traffic flowing thru the NSG.
But the Storage account associated to NSG flow logs is not capturing any logs.

ChaitanyaNaykodi-MSFT 27,476 Reputation points Microsoft Employee Moderator

2022-05-23T22:53:05.173+00:00

Hello @Amar-Azure-Practice , Thank you for reaching out.

Can you please confirm which App Service Environment version you have set-up? If you are using App Service Environment V3 it currently does not support NSG flow logs. The limitation is currently documented here.
Amar-Azure-Practice 661 Reputation points

2022-05-24T01:38:42.73+00:00

Hi
I am not using the ASE, i have created ASP (B1: 1) and running only one function app with in ASP.

1 answer

Your answer

ChaitanyaNaykodi-MSFT 27,476 Reputation points Microsoft Employee Moderator

2022-05-23T22:53:05.173+00:00

Hello @Amar-Azure-Practice , Thank you for reaching out.

Can you please confirm which App Service Environment version you have set-up? If you are using App Service Environment V3 it currently does not support NSG flow logs. The limitation is currently documented here.
Amar-Azure-Practice 661 Reputation points

2022-05-24T01:38:42.73+00:00

Hi
I am not using the ASE, i have created ASP (B1: 1) and running only one function app with in ASP.

Answer 1

ChaitanyaNaykodi-MSFT 27,476 Microsoft Employee Moderator

Hello @Amar-Azure-Practice ,

Thank you for your response, my bad I miss read it as ASE from your question.

NSG flow logs are not supported by App Service plan as well it is documented here

Because of the nature of how this technology operates, the traffic that's used with virtual network integration doesn't show up in Azure Network Watcher or NSG flow logs.

The work around in this scenario will be to deploy the Function App in isolated App Service Environment V2 instead.

I understand this limitation is not highlighted in the NSG flow log documentation. I will start a documentation thread to make this update.

Hope this helps! Please let me know if you have any additional questions.

Amar-Azure-Practice 661 Reputation points

2022-05-25T13:57:44.077+00:00

Hi Chaitanya,

thanks for your response, if we use the ASE V2 then we can see all NSG flow logs right?

is this only for Azure functions or webapps/API apps/ Logic Apps (Standard).

if we want to capture NSG flow logs of all the PaaS service like Azure SQL, KeyVault, APIM,Application gateway Load balancers, Service Bus Queue and EventHub what is the right way of doing it.
ChaitanyaNaykodi-MSFT 27,476 Reputation points Microsoft Employee Moderator

2022-05-25T19:45:56.68+00:00

Hello @Amar-Azure-Practice ,

if we use the ASE V2 then we can see all NSG flow logs right?

Yes, this is correct. I also validated this with similar customer scenarios via our internal tooling.

is this only for Azure functions or webapps/API apps/ Logic Apps (Standard).

if we want to capture NSG flow logs of all the PaaS service like Azure SQL, KeyVault, APIM, Application gateway Load balancers, Service Bus Queue and EventHub what is the right way of doing it.

I think you should be able to capture NSG flow logs for web-apps deployed in ASEv2 version. As per the documentation Logic Apps Standard can be deployed only in ASE v3 and it does not support NSG flow logs.

You can go through the NSG flow logging considerations documentation for a list of not-supported services. If your PaaS service is utilizing Private Link then to log traffic while accessing PaaS resources via private link, enable NSG flow logs on a subnet NSG containing the private link. Due to platform limitations, the traffic at all the source VMs only can be captured whereas that at the destination PaaS resource cannot be captured.

Hope this answers your question. Please let me know if you have any additional questions.
Amar-Azure-Practice 661 Reputation points

2022-05-26T03:54:25.82+00:00

Hi Chaitanya,

Thanks for answering the question.

Most of the part o got the calrification, Only thing that i did not understand is
' Due to platform limitations, the traffic at all the source VMs only can be captured whereas that at the destination PaaS resource cannot be captured.'

Can you please elaborate more on this.
ChaitanyaNaykodi-MSFT 27,476 Reputation points Microsoft Employee Moderator

2022-05-26T21:45:53.6+00:00

Sure, so if any PaaS service is connected via private endpoint and NSG flow logs are enabled. The traffic destined for PaaS resource in this case is not captured as NSG flow logs don't work for inbound traffic that's destined for a private endpoint. This limitation is also documented here.

Share via

Azure function with NSG and NSG FLow logs

1 answer

Your answer